
group.rb 9.27 KB
require 'carrierwave/orm/activerecord'

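# Group model: a Namespace subclass that carries group membership
# (GroupMember rows), visibility-level validation against its parent,
# sub-groups and projects, avatar upload, and group-level CI variables.
class Group < Namespace
  include Gitlab::ConfigHelper
  include AfterCommitQueue
  include AccessRequestable
  include Avatarable
  include Referable
  include SelectForProjectAuthorization
  include LoadedInGroupList
  include GroupDescendant

  # Membership rows for this group with requested_at NULL; rows with
  # requested_at set are exposed separately through :requesters below.
  has_many :group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
  alias_method :members, :group_members
  has_many :users, through: :group_members
  # Users whose membership row in this group has OWNER access level.
  has_many :owners,
    -> { where(members: { access_level: Gitlab::Access::OWNER }) },
    through: :group_members,
    source: :user

  has_many :requesters, -> { where.not(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
  # Unscoped: every GroupMember row for this group, whatever requested_at is.
  has_many :members_and_requesters, as: :source, class_name: 'GroupMember'

  has_many :milestones
  has_many :project_group_links, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
  has_many :shared_projects, through: :project_group_links, source: :project
  has_many :notification_settings, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
  has_many :labels, class_name: 'GroupLabel'
  has_many :variables, class_name: 'Ci::GroupVariable'
  has_many :custom_attributes, class_name: 'GroupCustomAttribute'

  # The avatar type check only runs when an avatar is present and was changed.
  validate :avatar_type, if: ->(group) { group.avatar.present? && group.avatar_changed? }
  validate :visibility_level_allowed_by_projects
  validate :visibility_level_allowed_by_sub_groups
  validate :visibility_level_allowed_by_parent

  validates :avatar, file_size: { maximum: 200.kilobytes.to_i }

  validates :two_factor_grace_period, presence: true, numericality: { greater_than_or_equal_to: 0 }

  mount_uploader :avatar, AvatarUploader
  has_many :uploads, as: :model, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent

  after_create :post_create_hook
  after_destroy :post_destroy_hook
  after_save :update_two_factor_requirement
  after_update :path_changed_hook, if: :path_changed?

  class << self
    # Nested groups are reported as supported only on PostgreSQL.
    def supports_nested_groups?
      Gitlab::Database.postgresql?
    end

    # Orders the relation by the given sort key.
    #
    # 'storage_size_desc' is handled here with a fixed SQL string; every
    # other value is handed to order_by, which is defined outside this file.
    # NOTE(review): `method` may originate from a request parameter, so
    # confirm that order_by maps it through a fixed list of known keys and
    # never interpolates it into the ORDER BY clause.
    def sort(method)
      if method == 'storage_size_desc'
        # storage_size is a virtual column so we need to
        # pass a string to avoid AR adding the table name
        reorder('storage_size DESC, namespaces.id DESC')
      else
        order_by(method)
      end
    end

    # Groups are referenced with the same prefix as users.
    def reference_prefix
      User.reference_prefix
    end

    # Groups are matched with the same reference pattern as users.
    def reference_pattern
      User.reference_pattern
    end

    # Restricts the relation to the groups returned by
    # user.authorized_groups. A nil user raises NoMethodError here, so
    # anonymous access has to be handled by the caller.
    def visible_to_user(user)
      where(id: user.authorized_groups.select(:id).reorder(nil))
    end

    # When the current scope joins :shared_projects, selects each shared
    # project's id together with the LOWER of the link's group_access and the
    # member's access_level, so sharing never grants more than either side
    # allows. Projects whose namespace has share_with_group_lock set are
    # excluded. Any other scope falls through to the included implementation.
    def select_for_project_authorization
      if current_scope.joins_values.include?(:shared_projects)
        joins('INNER JOIN namespaces project_namespace ON project_namespace.id = projects.namespace_id')
          .where('project_namespace.share_with_group_lock = ?', false)
          .select("projects.id AS project_id, LEAST(project_group_links.group_access, members.access_level) AS access_level")
      else
        super
      end
    end
  end

  # Textual reference to this group: the reference prefix followed by the
  # full path. Both arguments are accepted but not used here.
  def to_reference(_from = nil, full: nil)
    "#{self.class.reference_prefix}#{full_path}"
  end

  # Canonical URL of the group, built by the routing helpers.
  def web_url
    Gitlab::Routing.url_helpers.group_canonical_url(self)
  end

  def human_name
    full_name
  end

  # True when the group has no parent, or when `level` does not exceed the
  # parent's visibility level.
  def visibility_level_allowed_by_parent?(level = self.visibility_level)
    return true unless parent_id&.nonzero?

    level <= parent.visibility_level
  end

  # True when no project in this group has a visibility level above `level`.
  def visibility_level_allowed_by_projects?(level = self.visibility_level)
    !projects.where('visibility_level > ?', level).exists?
  end

  # True when no child group has a visibility level above `level`.
  def visibility_level_allowed_by_sub_groups?(level = self.visibility_level)
    !children.where('visibility_level > ?', level).exists?
  end

  # All three visibility constraints (parent, projects, sub-groups) must hold.
  def visibility_level_allowed?(level = self.visibility_level)
    visibility_level_allowed_by_parent?(level) &&
      visibility_level_allowed_by_projects?(level) &&
      visibility_level_allowed_by_sub_groups?(level)
  end

  def avatar_url(**args)
    # We use avatar_path instead of overriding avatar_url because of carrierwave.
    # See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11001/diffs#note_28659864
    avatar_path(args)
  end

  # LFS is off whenever the instance-wide setting is off. Otherwise the
  # group's own lfs_enabled column decides, and a NULL column falls back to
  # the instance-wide setting.
  def lfs_enabled?
    return false unless Gitlab.config.lfs.enabled
    return Gitlab.config.lfs.enabled if self[:lfs_enabled].nil?

    self[:lfs_enabled]
  end

  # Adds several users at `access_level`; delegates to GroupMember.add_users.
  def add_users(users, access_level, current_user: nil, expires_at: nil)
    GroupMember.add_users(
      self,
      users,
      access_level,
      current_user: current_user,
      expires_at: expires_at
    )
  end

  # Adds one user at `access_level`; delegates to GroupMember.add_user.
  # NOTE(review): no permission check on `current_user` is visible in this
  # method; presumably the caller or GroupMember.add_user enforces it. Confirm.
  def add_user(user, access_level, current_user: nil, expires_at: nil)
    GroupMember.add_user(
      self,
      user,
      access_level,
      current_user: current_user,
      expires_at: expires_at
    )
  end

  def add_guest(user, current_user = nil)
    add_user(user, :guest, current_user: current_user)
  end

  def add_reporter(user, current_user = nil)
    add_user(user, :reporter, current_user: current_user)
  end

  def add_developer(user, current_user = nil)
    add_user(user, :developer, current_user: current_user)
  end

  def add_master(user, current_user = nil)
    add_user(user, :master, current_user: current_user)
  end

  def add_owner(user, current_user = nil)
    add_user(user, :owner, current_user: current_user)
  end

  # True when the user's highest access level in this group or its ancestors
  # is at least `min_access_level`. A nil user is never a member. Admins are
  # treated as owners by max_member_access_for_user, so they always qualify.
  def member?(user, min_access_level = Gitlab::Access::GUEST)
    return false unless user

    max_member_access_for_user(user) >= min_access_level
  end

  # Ownership check that also counts owner rows found via members_with_parents.
  def has_owner?(user)
    return false unless user

    members_with_parents.owners.where(user_id: user).any?
  end

  # Same as has_owner?, for the masters scope.
  def has_master?(user)
    return false unless user

    members_with_parents.masters.where(user_id: user).any?
  end

  # Check if user is a last owner of the group.
  # Parent owners are ignored for nested groups.
  def last_owner?(user)
    owners.include?(user) && owners.size == 1
  end

  # Validation: rejects an avatar that the uploader does not report as an image.
  # NOTE(review): `image?` is defined on the uploader, outside this file.
  # Confirm whether it inspects the file content or only its name/extension.
  def avatar_type
    unless self.avatar.image?
      self.errors.add :avatar, "only images allowed"
    end
  end

  # after_create: logs the creation and fires the :create system hooks.
  # NOTE(review): the group name is interpolated into the log line as is;
  # the name validation lives outside this file, so confirm it rejects
  # line breaks.
  def post_create_hook
    Gitlab::AppLogger.info("Group \"#{name}\" was created")

    system_hook_service.execute_hooks_for(self, :create)
  end

  # after_destroy: logs the removal and fires the :destroy system hooks.
  def post_destroy_hook
    Gitlab::AppLogger.info("Group \"#{name}\" was removed")

    system_hook_service.execute_hooks_for(self, :destroy)
  end

  # A new SystemHooksService is built on every call.
  def system_hook_service
    SystemHooksService.new
  end

  # Recomputes project authorizations for every user id returned by
  # user_ids_for_project_authorizations.
  def refresh_members_authorized_projects(blocking: true)
    UserProjectAccessChangedService.new(user_ids_for_project_authorizations)
      .execute(blocking: blocking)
  end

  def user_ids_for_project_authorizations
    members_with_parents.pluck(:user_id)
  end

  # Active, non-invite members of this group and, when it has a parent,
  # of all its ancestors.
  def members_with_parents
    # Avoids an unnecessary SELECT when the group has no parents
    source_ids =
      if parent_id
        self_and_ancestors.reorder(nil).select(:id)
      else
        id
      end

    GroupMember
      .active_without_invites
      .where(source_id: source_ids)
  end

  # Active, non-invite members of this group and all its descendants.
  def members_with_descendants
    GroupMember
      .active_without_invites
      .where(source_id: self_and_descendants.reorder(nil).select(:id))
  end

  def users_with_parents
    User
      .where(id: members_with_parents.select(:user_id))
      .reorder(nil)
  end

  def users_with_descendants
    User
      .where(id: members_with_descendants.select(:user_id))
      .reorder(nil)
  end

  # Highest access level the user holds in this group or any ancestor.
  #
  # Returns GroupMember::NO_ACCESS for a nil user or a user with no
  # membership row, and GroupMember::OWNER for any admin.
  def max_member_access_for_user(user)
    # Fail closed for an anonymous user; without this guard the admin check
    # below raises NoMethodError on nil.
    return GroupMember::NO_ACCESS unless user
    return GroupMember::OWNER if user.admin?

    highest = members_with_parents
      .where(user_id: user)
      .reorder(access_level: :desc)
      .first

    highest&.access_level || GroupMember::NO_ACCESS
  end

  # Parameters for creating the matching Mattermost team.
  # The range 0..max_length is inclusive, so up to 60 characters are kept.
  # NOTE(review): confirm this matches the length limit on the Mattermost side.
  def mattermost_team_params
    max_length = 59

    {
      name: path[0..max_length],
      display_name: name[0..max_length],
      type: public? ? 'O' : 'I' # Open vs Invite-only
    }
  end

  # CI variables of this group and its ancestors that apply to `ref`.
  #
  # Protected variables are returned only when project.protected_for?(ref)
  # is true; otherwise the query is narrowed to the unprotected scope.
  # The result lists ancestors' variables first and this group's last.
  # NOTE(review): nothing here checks that `project` belongs to this group;
  # presumably the caller guarantees it. Confirm.
  def secret_variables_for(ref, project)
    groups = [self] + ancestors
    variables = Ci::GroupVariable.where(group: groups)
    variables = variables.unprotected unless project.protected_for?(ref)
    variables = variables.group_by(&:group_id)
    groups.reverse.map { |group| variables[group.id] }.compact.flatten
  end

  # Full path before the pending path change (the parent part is current).
  def full_path_was
    return path_was unless has_parent?

    "#{parent.full_path}/#{path_was}"
  end

  # The user's direct membership row in this group, or nil.
  # Uses the in-memory collection when it is already loaded.
  # NOTE(review): the branches differ for a nil user. The loaded branch
  # raises on user.id, while find_by runs with user_id: nil and may match a
  # row that has no user. Confirm callers never pass nil.
  def group_member(user)
    if group_members.loaded?
      group_members.find { |gm| gm.user_id == user.id }
    else
      group_members.find_by(user_id: user)
    end
  end

  # Always false for groups, whatever feature is asked about.
  def hashed_storage?(_feature)
    false
  end

  private

  # after_save: when either two-factor setting changed, asks every user in
  # the users association to recompute their own two-factor requirement.
  def update_two_factor_requirement
    return unless require_two_factor_authentication_changed? || two_factor_grace_period_changed?

    users.find_each(&:update_two_factor_requirement)
  end

  # after_update (only when the path changed): fires the :rename system hooks.
  def path_changed_hook
    system_hook_service.execute_hooks_for(self, :rename)
  end

  # Validation wrapper around visibility_level_allowed_by_parent?.
  def visibility_level_allowed_by_parent
    return if visibility_level_allowed_by_parent?

    errors.add(:visibility_level, "#{visibility} is not allowed since the parent group has a #{parent.visibility} visibility.")
  end

  # Validation wrapper around visibility_level_allowed_by_projects?.
  def visibility_level_allowed_by_projects
    return if visibility_level_allowed_by_projects?

    errors.add(:visibility_level, "#{visibility} is not allowed since this group contains projects with higher visibility.")
  end

  # Validation wrapper around visibility_level_allowed_by_sub_groups?.
  def visibility_level_allowed_by_sub_groups
    return if visibility_level_allowed_by_sub_groups?

    errors.add(:visibility_level, "#{visibility} is not allowed since there are sub-groups with higher visibility.")
  end
end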